fix: stabilize launchd paths and appcast secret scan

2026-03-11 23:10:29 +00:00 · 2026-03-09 08:37:37 +00:00
parent f9706fde6a
commit 6c579d7842
4 changed files with 14 additions and 31 deletions
--- a/.detect-secrets.cfg
+++ b/.detect-secrets.cfg
@@ -41,3 +41,5 @@ pattern = grep -q 'N[O]DE_COMPILE_CACHE=/var/tmp/openclaw-compile-cache' ~/.bash
 pattern = env: \{ MISTRAL_API_K[E]Y: "sk-\.\.\." \},
 pattern = "ap[i]Key": "xxxxx",
 pattern = ap[i]Key: "A[I]za\.\.\.",
+# Sparkle appcast signatures are release metadata, not credentials.
+pattern = sparkle:edSignature="[A-Za-z0-9+/=]+"
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -71,6 +71,8 @@ repos:
          - 'ap[i]Key: "A[I]za\.\.\.",'
          - --exclude-lines
          - '"ap[i]Key": "(resolved|normalized|legacy)-key"(,)?'
+          - --exclude-lines
+          - 'sparkle:edSignature="[A-Za-z0-9+/=]+"'
  # Shell script linting
  - repo: https://github.com/koalaman/shellcheck-precommit
    rev: v0.11.0
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -153,7 +153,8 @@
        "env: \\{ MISTRAL_API_K[E]Y: \"sk-\\.\\.\\.\" \\},",
        "\"ap[i]Key\": \"xxxxx\"(,)?",
        "ap[i]Key: \"A[I]za\\.\\.\\.\",",
-        "\"ap[i]Key\": \"(resolved|normalized|legacy)-key\"(,)?"
+        "\"ap[i]Key\": \"(resolved|normalized|legacy)-key\"(,)?",
+        "sparkle:edSignature=\"[A-Za-z0-9+/=]+\""
      ]
    },
    {
@@ -180,29 +181,6 @@
        "line_number": 15
      }
    ],
-    "appcast.xml": [
-      {
-        "type": "Base64 High Entropy String",
-        "filename": "appcast.xml",
-        "hashed_secret": "7afea670e53d801f1f881c99c40aa177e3395bfa",
-        "is_verified": false,
-        "line_number": 365
-      },
-      {
-        "type": "Base64 High Entropy String",
-        "filename": "appcast.xml",
-        "hashed_secret": "6e1ba26139ac4e73427e68a7eec2abf96bcf1fd4",
-        "is_verified": false,
-        "line_number": 584
-      },
-      {
-        "type": "Base64 High Entropy String",
-        "filename": "appcast.xml",
-        "hashed_secret": "c0baa9660a8d3b11874c63a535d8369f4a8fa8fa",
-        "is_verified": false,
-        "line_number": 723
-      }
-    ],
    "apps/android/app/src/test/java/ai/openclaw/android/node/AppUpdateHandlerTest.kt": [
      {
        "type": "Hex High Entropy String",
@@ -13035,5 +13013,5 @@
      }
    ]
  },
-  "generated_at": "2026-03-09T06:30:58Z"
+  "generated_at": "2026-03-09T08:37:13Z"
 }
--- a/src/daemon/launchd.ts
+++ b/src/daemon/launchd.ts
@@ -276,8 +276,8 @@ export async function uninstallLegacyLaunchAgents({
    return agents;
  }

-  const home = resolveHomeDir(env);
-  const trashDir = path.join(home, ".Trash");
+  const home = toPosixPath(resolveHomeDir(env));
+  const trashDir = path.posix.join(home, ".Trash");
  try {
    await fs.mkdir(trashDir, { recursive: true });
  } catch {
@@ -323,8 +323,8 @@ export async function uninstallLaunchAgent({
    return;
  }

-  const home = resolveHomeDir(env);
-  const trashDir = path.join(home, ".Trash");
+  const home = toPosixPath(resolveHomeDir(env));
+  const trashDir = path.posix.join(home, ".Trash");
  const dest = path.join(trashDir, `${label}.plist`);
  try {
    await fs.mkdir(trashDir, { recursive: true });
@@ -415,9 +415,10 @@ export async function installLaunchAgent({
  }

  const plistPath = resolveLaunchAgentPlistPathForLabel(env, label);
-  const home = resolveHomeDir(env);
+  const home = toPosixPath(resolveHomeDir(env));
+  const libraryDir = path.posix.join(home, "Library");
  await ensureSecureDirectory(home);
-  await ensureSecureDirectory(path.join(home, "Library"));
+  await ensureSecureDirectory(libraryDir);
  await ensureSecureDirectory(path.dirname(plistPath));

  const serviceDescription = resolveGatewayServiceDescription({ env, environment, description });